Anthem Breach Sounds a Healthcare Alarm

The announcement from health insurer Anthem Inc. that a hacking incident compromised a database reportedly containing personal information for up to 80 million individuals makes it crystal clear that the healthcare sector has become a new favorite target for hackers.

"The lesson to be learned from this incident is that outsiders see great value in the data maintained by healthcare providers, health plans and business associates," says attorney David Holtzman, vice president of compliance at security consulting firm Cynergistek. "Organizations must be proactive in evaluating their networks and scanning for gaps in the safeguards to their data."

In the wake of the Feb. 5 revelation of the breach, the healthcare industry is anxiously awaiting more details about the nature of the attack. A senior White House official and lawmakers are saying the incident is part of a disturbing trend of massive data breaches impacting consumers' information. And security experts say the incident could be a strong catalyst for healthcare to ramp up data security to catch up to other business sectors.

Anthem told the Los Angeles Times that suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyber-attack. The affected database was not encrypted, according to the news report.

Some news reports are already pointing the finger at Chinese hackers as the possible culprits in the Anthem attack. But in this early stage of the investigation, security experts urge skepticism about attribution (see: Anthem Breach: Chinese Hackers Involved?).

Biggest Healthcare Breach?

When details of the Anthem breach are confirmed, it's highly likely the incident will rank as the largest health data breach since enforcement of the HIPAA breach notification rule began in September 2009 (see Update: Top 5 Health Data Breaches). The federal tally of major healthcare breaches now lists an incident involving the military health plan TRICARE and affecting 4.9 million individuals as the biggest breach. And the largest hacking attack in the healthcare sector, before Anthem, was an incident involving Community Health Systems last summer, which affected 4.5 million individuals.

A spokeswoman for the Department of Health and Human Services' Office for Civil Rights, which oversees HIPAA enforcement, confirmed to Information Security Media Group that the Anthem incident has not yet been reported to OCR, although the incident would qualify as a breach under HIPAA, based on the type of information the company says was exposed.

"Any organization that holds sensitive data is at risk," the OCR spokeswoman says. "This is why it is so important that HIPAA covered entities and their business associates assess and address the risks to the ePHI. Organizations should conduct a careful review of their risk analysis and risk management plans to ensure that appropriate safeguards are in place to address the threats and vulnerabilities to individuals' data."

Attention Grabber

The massive Anthem incident immediately caught the attention of top U.S. government officials. White House cybersecurity czar Michael Daniel - officially a special assistant to the president and cybersecurity coordinator - touched on the Anthem breach in a Bloomberg-hosted webinar on February 5 devoted to the Obama administration's cybersecurity agenda.

"Obviously it's quite concerning that we would have yet another intrusion of this size, following on what some people have referred to, 2014, as the 'Year of the Intrusion' or the 'Year of the Hack,'" Daniel said, noting that he is also a potential victim of the Anthem breach.

While Daniel confirmed that the FBI is investigating the intrusion, he declined to comment further on the breach, noting that it was still "early on" in the investigation. "I'm sure we'll be learning a lot more over the next few days as we dig in, and learn what happened to them," he said.

But Daniel did offer this advice to consumers who may have been affected: "Watch your credit score and your identity tracking. Obviously maybe change the password you use that's associated with that, which would include me."

Rep. Lynn Westmoreland, R-Ga., chairman of the Intelligence Committee's NSA and Cybersecurity Subcommittee, said: "The Anthem hack shows the immediate need for enhanced cybersecurity measures, for both national security purposes and to protect our citizens. The hackers have exposed the weaknesses in our current system, and have jeopardized sensitive and personal data. I find this breach unacceptable and will work hard to review and strengthen our nation's cybersecurity laws to improve our defenses against cyber attacks."

The Anthem breach will be "a game changer" because it could potentially affect 25 percent of the U.S. population, says Rebecca Herold, partner and co-owner of HIPAA Compliance Tools and CEO of The Privacy Professor. "This could establish a starting point for state attorneys general taking more action to enforce HIPAA, given the vast proportion of the population involved," she says.

Sophisticated Attack?

Anthem CEO Joseph Swedish portrayed the breach incident as a "very sophisticated external cyber-attack." But not everyone is buying that explanation, based on the company's track record.

"Call me a skeptic; I am not yet convinced that this was the result of a sophisticated attack on a high-value target," says Holtzman, a former senior adviser at the Department of Health and Human Services' Office for Civil Rights. "Recall that in 2013 ... Wellpoint Inc. [now called Anthem] settled with OCR for $1.7 million over allegations of improper safeguards for e-PHI," he notes. "The evidence in that incident was that over a period of more than six months, Anthem BC/BS of California allowed unauthorized access through its online health insurance application portal. The cause was found to be that technical modifications performed to applications associated with the website had not been tested or checked to see if they performed as intended. The critical gap it created allowed outsiders - today we call them hackers - to access the information system."

David Kennedy, CEO of security consulting firm TrustedSec, says hackers are now shifting gears to target healthcare because other industries are more secure. "The medical industry really needs to step it up and protect their personal information. Having access to 80 million individuals' personal information is bad," he says. "A breach can occur to anyone, but there needs to be better protection around consumer data."

It's not just large companies like Anthem - which is the second largest health insurer in the U.S. - that need to be on heightened alert about the threat hackers pose, says Cynergistek's Holtzman.

"All organizations that maintain health information, patient claims and payment data are high-value targets," he says. "The risk is that small and medium-size organizations may become jaded into thinking they are too small to be of interest to cybercriminals or insiders who want to steal their information."

Kennedy of TrustedSec calls on healthcare organizations to use "appropriate and proven technologies such as hashing, encryption, and other methods to protect information. ... There are practices that, if followed, can make it extremely difficult for a hacker to compromise an organization. It's about going back to good practices, and the fundamentals."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
